security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1012/T1012.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

267 lines
10 KiB
Markdown
Raw Permalink Blame History

# T1012 - Query Registry
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1012)
<blockquote>
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Query Registry](#atomic-test-1---query-registry)
- [Atomic Test #2 - Query Registry with Powershell cmdlets](#atomic-test-2---query-registry-with-powershell-cmdlets)
- [Atomic Test #3 - Enumerate COM Objects in Registry with Powershell](#atomic-test-3---enumerate-com-objects-in-registry-with-powershell)
- [Atomic Test #4 - Reg query for AlwaysInstallElevated status](#atomic-test-4---reg-query-for-alwaysinstallelevated-status)
- [Atomic Test #5 - Check Software Inventory Logging (SIL) status via Registry](#atomic-test-5---check-software-inventory-logging-sil-status-via-registry)
- [Atomic Test #6 - Inspect SystemStartOptions Value in Registry](#atomic-test-6---inspect-systemstartoptions-value-in-registry)
<br/>
## Atomic Test #1 - Query Registry
Query Windows Registry.
Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS).
References:
https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
**Supported Platforms:** Windows
**auto_generated_guid:** 8f7578c4-9863-4d83-875c-a565573bbdf0
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
```
<br/>
<br/>
## Atomic Test #2 - Query Registry with Powershell cmdlets
Query Windows Registry with Powershell cmdlets, i.e., Get-Item and Get-ChildItem. The results from above can also be achieved with Get-Item and Get-ChildItem.
Unlike using "reg query" which then executes reg.exe, using cmdlets won't generate new processes, which may evade detection systems monitoring process generation.
**Supported Platforms:** Windows
**auto_generated_guid:** 0434d081-bb32-42ce-bcbb-3548e4f2628f
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\" | findstr Windows
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServices"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServices"
Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
Get-Item -Path "HKCU:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Run"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Get-ChildItem -Path "HKLM:system\currentcontrolset\services"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
Get-Item -Path "HKLM:SYSTEM\CurrentControlSet\Control\SafeBoot"
Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Active Setup\Installed Components"
Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
```
<br/>
<br/>
## Atomic Test #3 - Enumerate COM Objects in Registry with Powershell
This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes.
See: https://www.mandiant.com/resources/hunting-com-objects
**Supported Platforms:** Windows
**auto_generated_guid:** 0d80d088-a84c-4353-af1a-fc8b439f1564
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | File to output list of COM objects to | string | $env:temp&#92;T1592.002Test1.txt|
#### Attack Commands: Run with `powershell`!
```powershell
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
{try{write-output "$($Position)-$($CLSID)"
write-output "------------"| out-file #{output_file} -append
write-output $($CLSID)| out-file #{output_file} -append
$handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
$handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
$position += 1} catch{}}
```
#### Cleanup Commands:
```powershell
remove-item #{output_file} -force -erroraction silentlycontinue
remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue
```
<br/>
<br/>
## Atomic Test #4 - Reg query for AlwaysInstallElevated status
The reg query commands allows to check the status of the AlwaysInstallElevated registry key for both the user and the machine. If both queries return a value of 0x1, then AlwaysInstallElevated is enabled for both user and machine thus allowing a regular user to install a Microsoft Windows Installer package with system level privileges. This can be abused by an attacker to escalate privileges in the host to SYSTEM level.
**Supported Platforms:** Windows
**auto_generated_guid:** 6fb4c4c5-f949-4fd2-8af5-ddbc61595223
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```
<br/>
<br/>
## Atomic Test #5 - Check Software Inventory Logging (SIL) status via Registry
Microsoft's Software Inventory Logging (SIL) collects information about software installed per host basis. Adversary can use such logs to passively
check for existence of software of interest to them. Status of SIL can be checked via registry.
[Reference](https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/)
**Supported Platforms:** Windows
**auto_generated_guid:** 5c784969-1d43-4ac7-8c3d-ed6d025ed10d
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64
```
<br/>
<br/>
## Atomic Test #6 - Inspect SystemStartOptions Value in Registry
The objective of this test is to query the SystemStartOptions key under HKLM\SYSTEM\CurrentControlSet\Control in the Windows registry. This action could be used to uncover specific details about how the system is configured to start, potentially aiding in understanding boot parameters or identifying security-related settings. key is.
**Supported Platforms:** Windows
**auto_generated_guid:** 96257079-cdc1-4aba-8705-3146e94b6dce
#### Attack Commands: Run with `command_prompt`!
```cmd
reg.exe query HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions
```
<br/>
Reference in New Issue View Git Blame Copy Permalink